I've got a PIX 515 (6.2.2) with a mail server on the inside and a DNS forwarder with the local zone also on the inside. I have added an email gateway filter to the DMZ that forwards to the inside mail server. Some of my PIX config is as follows.
name 10.51.x.a mailserv
name 192.168.x.b mailgate
name 10.51.x.c dns1
access-list outside permit tcp any host 208.8.x.b eq smtp
access-list DMZ permit tcp any any eq smtp
access-list DMZ1 permit udp host mailgate host dns1 eq domain
ip address outside 208.8.x.a 255.255.255.0
ip address inside 10.51.x.a 255.255.254.0
ip address DMZ 192.168.x.a 255.255.255.0
global (outside) 1 interface
global (DMZ) 1 interface
global (DMZ) 1 192.168.100.100
static (DMZ,outside) 208.8.x.b mailgate netmask 255.255.255.255 0 0
static (inside,DMZ) mailgate mailgate netmask 255.255.255.255 0 0
static (inside,DMZ) dns1 dns1 netmask 255.255.255.255 0 0
static (inside,DMZ) mailserv mailserv netmask 255.255.255.255 0 0
And in the future I will be adding a web server to the DMZ which will require port 1433 (SQL) to the inside. I had planned on using the same approach, which brings me to my question.
While this configuration seems to work ok, is there a better way to accomplish this? Am I creating a security issue by setting static inside addresses in the DMZ? It just doesn't look right to me, or am I just being paranoid?
Any opinions would be greatly appreciated.
Thanks
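As an added example (not part of the original post), a small Python check that models the question being asked: an inside host is reachable from the DMZ only where a static (inside,DMZ) gives it an address on the DMZ side and the ACL bound inbound on the DMZ interface permits the flow, so the static alone is not the exposure, the ACL entry is. The access-group binding of ACL DMZ to the DMZ interface is an assumption, since the post does not show it, and the tightened ACL is constructed for comparison.

```python
"""PIX 6.x DMZ-to-inside exposure check (added example, not from the post).

A flow from the DMZ to an inside host needs a static (inside,DMZ) for that
host AND a permit in the ACL bound inbound on the DMZ interface.
"""
import re

# Lines from the post ("x" octets are the poster's redaction).  The
# access-group binding is ASSUMED: the post does not show it.
POSTED_CONFIG = """
access-list DMZ permit tcp any any eq smtp
access-list DMZ1 permit udp host mailgate host dns1 eq domain
static (inside,DMZ) dns1 dns1 netmask 255.255.255.255 0 0
static (inside,DMZ) mailserv mailserv netmask 255.255.255.255 0 0
access-group DMZ in interface DMZ
"""

# Constructed alternative: name source and destination hosts explicitly.
TIGHTENED_CONFIG = POSTED_CONFIG.replace(
    "access-list DMZ permit tcp any any eq smtp",
    "access-list DMZ permit tcp host mailgate host mailserv eq smtp\n"
    "access-list DMZ permit udp host mailgate host dns1 eq domain",
)

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def _addr(token):
    """'any' stays 'any'; 'host mailgate' becomes 'mailgate'."""
    return "any" if token == "any" else token.split()[1]


def reachable_from_dmz(config, dmz_if="DMZ", inside_if="inside"):
    """Sorted (src, inside_host, proto, port) flows the DMZ may open.
    Simplification: only permit entries are modelled, no deny ordering."""
    rules, statics, groups = {}, [], {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            rules.setdefault(m[1], []).append((m[2], _addr(m[3]), _addr(m[4]), m[5] or "any"))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_if, mapped_if, global_addr, local_addr)
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]  # interface -> ACL name bound inbound
    # Inside hosts given an address on the DMZ side by a static.
    exposed = [g for real, mapped, g, _ in statics if (real, mapped) == (inside_if, dmz_if)]
    flows = set()
    for proto, src, dst, port in rules.get(groups.get(dmz_if), []):
        flows.update((src, h, proto, port) for h in exposed if dst in ("any", h))
    return sorted(flows)
```

With the ACL as posted, every inside host that has a static toward the DMZ is reachable on port 25 from any DMZ address; the tightened version narrows each flow to the gateway and the one service it needs.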